Access Control List - Packet Tracer Help

louie.whitsey
Level 1

Hi everyone,

I am quite new to Packet Tracer. I am currently having trouble creating an access control list for my Packet Tracer file. I am aware of the deny and permit commands, but not too sure what 2nd IP address should be used at the source of the blockage.

There are 3 VLANS on the network.

VLAN 10, VLAN 20 and VLAN 99

I am attempting to use extended ACL commands for these 3 VLANs.

VLAN 10: I want to deny access to FTP services but permit all other traffic.
VLAN 20: I want to deny HTTP services and permit all other traffic.
VLAN 99: I want to permit access to all locations and protocols.

I was looking at naming each control list the following:

VLAN 10: Access control list 110
VLAN 20: Access control list 120
VLAN 99: Access control list 199

The VLAN 10 IP address is 172.18.10.0
The VLAN 20 IP address is 172.18.20.0
The VLAN 99 IP address is 172.18.99.0

The router that is the first source contact has a GIG interface to a switch, but that currently does not have an IP address. There is a serial link going from the first source router to the 2nd with the IP address 172.18.5.2.

Thanks

2 Replies

louie.whitsey
Level 1

Here is an image of the packet tracer file

Let me start by saying that I do not claim much expertise in packet tracer. But I believe that your question is really about functionality in access lists and not about packet tracer. I am much better able to address questions about access list functionality than I am about packet tracer.

Your description and your diagram do not make clear how the router is configured. Am I correct that the interface on what appears to be a 2911 identified as ford which connects to the switch is configured with subinterfaces for each of the vlans? And am I correct that each of the access lists that you describe will be applied on the appropriate subinterface as "in"? (It makes a significant difference whether the access list will be applied "in" or applied "out".)

At a high level your question is what to use in the second address of the access list. So let us first review some fundamentals of access lists. The first address refers to the source address of the packet while the second address refers to the destination address of the packet. So since the policy that you want to enforce will evaluate based on protocol (FTP or HTTP) and not on any particular destination address then the second address in your access list will be "any".

The other high level thing to remember is that an access list used to filter data packets must include at least one permit. So in your access list, after you deny the traffic that you do not want to go through, you need to permit everything else.

So your access lists might look something like this

access-list 110 deny tcp 172.18.10.0 0.0.0.255 any range 20 21

access-list 110 permit ip 172.18.10.0 0.0.0.255 any

!

access-list 120 deny tcp 172.18.20.0 0.0.0.255 any eq 80

access-list 120 permit ip 172.18.20.0 0.0.0.255 any

!

access-list 199 permit ip 172.18.99.0 0.0.0.255 any

HTH

Rick

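As an added illustration (not part of Rick's reply or the rest of the thread), here is a small Python evaluator that parses numbered extended ACL lines in the IOS syntax used above and applies the first-match, implicit-deny semantics Rick describes to sample packets. It shows the three points from the reply: the first address is the source, the second is the destination ("any" when the policy is per protocol), and an ACL with only a deny line blocks everything. The ACL text, the sample packet addresses and the small port-name table are constructed for this example; interface names and direction ("in"/"out") are outside its scope.

```python
"""Simulate Cisco IOS numbered extended ACL evaluation (constructed example).

First matching entry wins; every IOS ACL ends with an implicit "deny any".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ACL text in IOS syntax, matching the policy discussed in the thread.
# FTP ports are written as "range 20 21", the IOS form for a port range.
ACL_CONFIG = """
access-list 110 remark VLAN 10: block FTP, allow everything else
access-list 110 deny tcp 172.18.10.0 0.0.0.255 any range 20 21
access-list 110 permit ip 172.18.10.0 0.0.0.255 any
access-list 120 remark VLAN 20: block HTTP, allow everything else
access-list 120 deny tcp 172.18.20.0 0.0.0.255 any eq 80
access-list 120 permit ip 172.18.20.0 0.0.0.255 any
access-list 199 permit ip 172.18.99.0 0.0.0.255 any
"""

# A few well-known port names IOS accepts in place of numbers (subset, for the example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip", "tcp" or "udp"
    src_net: int                        # source network as a 32-bit int
    src_wild: int                       # source wildcard mask (1 bits = don't care)
    dst_net: int                        # destination network
    dst_wild: int                       # destination wildcard mask
    ports: Optional[Tuple[int, int]]    # inclusive destination port range, or None


def _addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return net, wild, tokens[2:]


def _port(token: str) -> int:
    """Translate a port name or number to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> Dict[int, List[Rule]]:
    """Parse 'access-list N ...' lines into {number: [Rule, ...]}, preserving order."""
    acls: Dict[int, List[Rule]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src_net, src_wild, rest = _addr(tokens[4:])
        dst_net, dst_wild, rest = _addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports = (_port(rest[1]), _port(rest[1]))
        elif rest and rest[0] == "range":
            ports = (_port(rest[1]), _port(rest[2]))
        acls.setdefault(number, []).append(
            Rule(action, proto, src_net, src_wild, dst_net, dst_wild, ports))
    return acls


def _match_addr(addr: int, net: int, wild: int) -> bool:
    """Wildcard match: compare only the bits where the wildcard mask is 0."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_match_addr(s, r.src_net, r.src_wild) and _match_addr(d, r.dst_net, r.dst_wild)):
            continue
        if r.ports is not None and not (r.ports[0] <= dport <= r.ports[1]):
            continue
        return r.action
    return "deny"  # implicit deny at the end of every IOS access list


if __name__ == "__main__":
    acls = parse_acl(ACL_CONFIG)
    # Constructed packets: host in each VLAN talking to the serial peer 172.18.5.2.
    for number, src, proto, port in [(110, "172.18.10.25", "tcp", 21),
                                     (110, "172.18.10.25", "tcp", 80),
                                     (120, "172.18.20.7", "tcp", 80),
                                     (199, "172.18.99.3", "tcp", 80)]:
        print(f"ACL {number}: {src} -> 172.18.5.2 {proto}/{port}: "
              f"{evaluate(acls[number], src, '172.18.5.2', proto, port)}")
```

Evaluating `acls[110][:1]` (the deny line alone) against an HTTP packet returns "deny", which is the forgotten-permit mistake Rick warns about; the full list returns "permit". A packet from VLAN 20 evaluated against ACL 110 also falls through to the implicit deny, which is why each list is applied on its own subinterface.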